Toward Complete Mobile Device Management

Any iOS administrator with a real deployment in operation can tell you this: Today's MDM solutions are only a fraction of the puzzle. In the real world, a complete solution is much more complicated.

Physical Device Management, specifically imaging and deployment, is the biggest pain point today. For iOS it is all manual work: iTunes, cables, mouse clicks, etc. Alternatives are desperately needed if today's pilots are to scale.

Application Management is a pretty sparse field. Companies such as Apperian and AppCentral allow for hosted enterprise app catalogs, but these are disconnected from other management services. MDM providers can offer private app catalogs as well, but these don't offer update services.

File Management, to manage the distribution and policies on centralized files, is relatively new. There are a few nascent tools such as mobilEcho and SilverSync in this space.

The big players today want to own the entire space, one-size-fits-all. They are thinking of what RIM did with BES. But this strategy ends up with a mobile environment without many options for the user. And like it or not, user choice is one of the foundations of the iOS platform. (Think of the App Store with nearly 400,000 apps.)

Instead, I believe we would be better off with a small set of standards that encourage independence and interoperability. Let each company make its choice for file or app or policy management. Encourage innovation and differentiation.

And how does this look?

Automatic Provisioning: I think many of us share the same dream: A newly provisioned device should automatically install certificates, policies, apps, configurations and documents appropriate for that user. Wouldn't that be nice? I don't think it would even be difficult, technically. Apple would need to integrate MDM enrollment into device registration. (Easy for me to say, right?)

Pluggable App Policies: MDM systems are pretty good today for setting up device restrictions. Imagine if they were able to reach into application configurations. This is already done for SSL VPNs, where a configuration profile can pass policies to Cisco, Juniper and F5 iOS VPN clients. mobilEcho has a similar model for centralized configuration through their own server. The only way to extend this to the huge number of apps is to create a standard way of plugging into MDM consoles. App developers could, if they wanted to be included, develop their own console plug-in to this spec. Their app would then query the OS for installed MDM profiles and then request a config from the MDM server.
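
The VPN case above can be sketched in code (an added example, not from the original post or any vendor): one configuration profile carries a `com.apple.vpn.managed` payload per vendor, each with an opaque `VendorConfig` dictionary, and each client reads only the payload addressed to it. The vendor identifiers, server names and `VendorConfig` keys are constructed for illustration.

```python
import plistlib
import uuid

VPN_PAYLOAD_TYPE = "com.apple.vpn.managed"  # payload type for VPN settings


def vpn_payload(name, sub_type, server, vendor_config):
    """One VPN payload; VendorConfig is an opaque, vendor-defined dictionary."""
    return {
        "PayloadType": VPN_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mdm.vpn.{name}",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "UserDefinedName": name,
        "VPNType": "VPN",
        "VPNSubType": sub_type,  # identifies which vendor client owns this payload
        "VPN": {"RemoteAddress": server, "AuthenticationMethod": "Password"},
        "VendorConfig": vendor_config,
    }


def build_profile(payloads):
    """Serialize a configuration profile as XML plist bytes."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example VPN policy",
        "PayloadContent": payloads,
    })


def config_for(profile_bytes, sub_type):
    """Return only the policy addressed to one client, or None if there is none."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if (payload.get("PayloadType") == VPN_PAYLOAD_TYPE
                and payload.get("VPNSubType") == sub_type):
            return dict(payload.get("VendorConfig", {}))
    return None  # caller should treat "no policy" as unmanaged, not as permissive


# Constructed sample: two hypothetical vendors, each with its own policy keys.
SAMPLE = build_profile([
    vpn_payload("vendor-a", "com.example.vendor-a.vpnplugin", "vpn-a.example.com",
                {"Group": "staff", "OnDemand": True}),
    vpn_payload("vendor-b", "com.example.vendor-b.vpnplugin", "vpn-b.example.com",
                {"Realm": "corp"}),
])
```
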

Policy-based Access Controls: File management on iOS is today just way too leaky. Any app can implement "Open In..." with a single line of Objective-C. But "Open In" simply makes another copy somewhere else. This is a policy and version control nightmare. So how many copies of that P&L statement do you want around? Imagine if a consortium of app developers agreed on a standard for policy-based file management. A push is already on for such a standard. I look forward to hearing more about it.

Next week will be a big one for us: How will iOS 5, iCloud, and Lion change this landscape? Stay tuned.